Legal
Privacy Policy
Last updated: July 14, 2026
At Wandermi, we take your privacy seriously. This policy explains how we collect, use, and protect your personal information when you use our travel planning app. We are committed to compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. The minimum age to use Wandermi is 14.
Information We Collect
We collect information you provide directly: your name, email address, public username (@handle), profile photo, travel preferences, and the year of birth you enter at sign-up to verify the minimum age of 14. We also collect the content you create (trip plans, saved destinations, photos, comments, messages, crowd reports, conversations with the AI assistant) and usage data (app interaction patterns) to operate and improve your experience.
How We Use Your Data
Your data is used to personalize your travel experience, provide crowd-level insights, generate recommendations, power the AI travel assistant, keep the service secure, and improve our services. We do not sell your personal information to third parties. Marketing communications are only sent with your explicit opt-in consent and you can withdraw at any time via notification preferences in Settings.
Legal Basis for Processing (GDPR Art. 6)
We process your data under the following legal bases as defined by the General Data Protection Regulation:
• Account data (name, email, username, profile) and the content you create: Contract performance — processing is necessary to provide you with our services (Art. 6(1)(b)).
• AI travel assistant: Contract performance for delivering the assistant (Art. 6(1)(b)); legitimate interest for evaluating and improving it (Art. 6(1)(f)).
• Location data: Consent — we only process your location when you explicitly grant permission (Art. 6(1)(a)). You may withdraw consent at any time via Settings or your device settings.
• Analytics and usage data: Legitimate interest — we analyse usage patterns to improve app performance and user experience, and we produce anonymous aggregate statistics (Art. 6(1)(f)).
• Security and abuse prevention (email verification, device attestation, anti-spam rate limits, content moderation): Legitimate interest (Art. 6(1)(f)).
• Marketing and push notifications: Consent — we send promotional communications only with your opt-in consent (Art. 6(1)(a)). You may withdraw consent at any time via notification preferences in Settings.
Public Profile and Username (@handle)
Every account has a unique public username (@handle). Your public profile data — display name, profile photo and username — is visible to other users on your profile and next to the content you publish. You can change your username from Settings, subject to anti-abuse limits; the previous username then becomes available to other users. Your username is included in your data export and is deleted when you delete your account. Legal basis: contract performance.
AI Travel Assistant
Wandermi includes a travel assistant based on generative AI (model provider: Google).
• Data sent to the model: the text of your messages, the context of the trip you are planning (destinations, dates, interests) and a travel-preferences profile built from your previous conversations. We do not send your email address or your exact GPS position.
• Where the model runs: the assistant runs on Google Cloud Vertex AI in the European Union (region europe-west1). Google acts as our processor under Art. 28 GDPR on the basis of the Google Cloud Data Processing Addendum, and does not use your prompts or the model outputs to train its own models. Your conversations are processed within the EU.
• Memory: we store (i) your conversation history, (ii) a persistent traveller profile built from your conversations across trips, and (iii) a per-trip memory, so that the assistant keeps context between sessions. You can archive or rename sessions in the app.
• Retention and deletion: conversations and both AI memories are retained while your account is active and are deleted when you delete your account. They are included in your data export. Separately, pseudonymised copies (without direct identifiers) are kept to evaluate and improve the assistant: conversation text for a maximum of 12 months, technical metrics for a maximum of 24 months — see "Analytics Warehouse" for what happens to those copies when you delete your account.
• Accuracy: answers are generated automatically and may contain errors or out-of-date information. You can report any answer by long-pressing the message in the chat.
• Legal basis: contract performance (delivering the assistant) and legitimate interest (evaluating and improving it). You can object to the improvement processing by writing to privacy@wandermi.com.
Location Data
With your permission, we use your location for the following purposes:
• Crowd reports: the report other users see stores approximate coordinates only (rounded to ~1 km precision). The exact coordinates of the point you reported are stored separately, in a restricted-access collection that client applications cannot read: they are never shown to other users and are never shared with third parties. They are included in your data export and are deleted when you delete your account.
• Dwell detection: we derive aggregated time-spent-at-a-place values. We do not record your continuous GPS trail and we do not track your movements.
• Statistics shared with public bodies are anonymous and aggregated only.
You can disable location sharing at any time from Settings → Location or from your device settings; the app remains usable. Legal basis: consent (Art. 6(1)(a)), which you may withdraw at any time; legitimate interest for the production of aggregate statistics.
Sharing Itineraries via Public Link
You can generate a public link to share an itinerary. Anyone holding the link can view the shared content (itinerary, stops, any photos included), including people without a Wandermi account and outside the app, for as long as the link is active. Consider carefully what you share and with whom.
You can deactivate the link at any time from the sharing settings: deactivation makes the content immediately inaccessible through the link, but has no effect on copies already saved by third parties. Active links are included in your data export and are deleted when you delete your account. Legal basis: contract performance (a feature you request).
Push Notifications and Email Verification
• Push notifications: with your permission we send you notifications (messages, invitations, crowding alerts, social activity). We store a notification token associated with your device, transmitted to our provider Expo (United States, under EU Standard Contractual Clauses); the token is removed when you log out. You can manage each category from Settings → Notifications or disable notifications from your operating system.
• Notification language: we store your app language so that notifications reach you in the language you use.
• Email verification: when you register with an email address we send you a verification message; verification is required in order to use the account, for security and abuse-prevention purposes. Legal basis: legitimate interest (Art. 6(1)(f)).
Device Integrity and Anti-Abuse (App Check)
To protect the service against automated abuse (bots, scripts, fake accounts), the app uses device attestation mechanisms provided by Apple (App Attest / DeviceCheck) and Google (Play Integrity) through Firebase App Check. These services verify that requests come from a genuine copy of the app running on an authentic device, generating technical tokens that are not used to profile you and are not used for advertising. Legal basis: legitimate interest in the security of the service (Art. 6(1)(f)).
Data Sharing
We share data only with trusted service providers who help us operate Wandermi. All partners are bound by strict data protection agreements. We do not sell your personal data.
Sub-processors
We use the following sub-processors to deliver our services:
• Google Firebase (Cloud Firestore, Authentication, Cloud Storage, App Check) — United States. Data transfers are governed by EU Standard Contractual Clauses (SCCs).
• Google Cloud Platform (Cloud Functions, region europe-west1) — European Union.
• Google Cloud Vertex AI (region europe-west1) — European Union. Provides the generative model that powers the AI travel assistant. Google acts as a processor under the Google Cloud Data Processing Addendum and does not use your prompts or the model outputs to train its own models. Processing takes place within the EU.
• Google Cloud BigQuery (region europe-west1) — European Union. Used as an analytics data warehouse to understand and improve the app, evaluate and improve the AI travel assistant, and produce anonymous aggregated statistics. Covered by Google's Data Processing Addendum and EU Standard Contractual Clauses. Data is processed within the EU.
• Expo (EAS) — United States. Used for push notification delivery. Data transfers are governed by EU Standard Contractual Clauses (SCCs).
• Mapbox — United States. Used for map display and geolocation services. Telemetry data collection is optional and can be disabled in Privacy Settings. Data transfers are governed by EU Standard Contractual Clauses (SCCs).
• RevenueCat — United States. Subscription management infrastructure. Paid subscriptions are not active in Wandermi (see "Paid Features"): the SDK is present in the app but no transaction or billing data is currently processed. Were paid features to be activated, RevenueCat would receive only an anonymous user identifier and Apple/Google transaction metadata — no email or other personal data. Data transfers are governed by EU Standard Contractual Clauses (SCCs).
• Sentry — Germany (EU data residency). Used for error monitoring and crash reporting. Captures stack traces, app version, OS version, and an anonymised device identifier; no email or other personal data is captured unless explicitly attached.
• Microsoft 365 (Outlook — hosted by Microsoft Ireland Operations Limited) — European Union. Used to host institutional mailboxes (support@, privacy@, legal@) and process inbound communications you send to us. The standard Microsoft Online Services DPA applies.
Data Retention Periods
We retain your data for the following periods:
• Account data (name, email, username, profile photo, travel preferences): retained while your account is active. Deleted when you delete your account.
• Messages: retained for a maximum of 12 months; messages older than 365 days are deleted automatically. Messages you sent are also deleted when you delete your account.
• Trip data (trip plans, saved destinations, photos): retained while your account is active. When you delete a trip it enters a 30-day recovery period during which it can be restored; after 30 days the trip and all associated data are permanently deleted. All trip data is also deleted when you delete your account.
• AI assistant conversations and memories (traveller profile, per-trip memory): retained while your account is active. Deleted when you delete your account.
• Location data: the approximate coordinates (~1 km) stored with the crowd reports you submit, and the exact coordinates held separately with restricted access, are retained until you delete your account.
• Push notification token: removed when you log out.
• Pseudonymised copies in the analytics warehouse: AI conversation text for a maximum of 12 months; AI technical metrics for a maximum of 24 months; other analytics events for a maximum of 26 months. See "Analytics Warehouse" below.
Analytics Warehouse, AI Improvement and Aggregate Statistics
We use an analytics data warehouse (Google Cloud BigQuery, EU region europe-west1) for three purposes: (a) to understand how the app is used and improve it; (b) to evaluate and improve our AI travel assistant; and (c) to produce anonymous, aggregated statistics about tourist flows and overcrowding.
• Pseudonymisation and residency: records sent to the warehouse do not carry your name, your email or your raw account identifier — the identifier is replaced by a pseudonym (a keyed hash). All processing takes place within the EU under Google's DPA and EU Standard Contractual Clauses.
• AI improvement: conversations with the AI assistant may be used in pseudonymised form to evaluate and improve the assistant. Legal basis: legitimate interest. You can object by writing to privacy@wandermi.com.
• Aggregate statistics (B2G): statistics shared with public bodies or destination management organisations are anonymous only — they contain no information that can identify you, and minimum aggregation thresholds are applied so that no individual can be singled out. We never sell your personal data.
• Deletion — what actually happens when you delete your account: we delete your data from our operational systems (database and file storage) — profile, username, trips, photos, messages, AI conversations and memories, share links, and the exact coordinates of your crowd reports. The pseudonymised copies already transferred to the analytics warehouse are NOT individually removed at that moment: they no longer carry your account identifier and are retained until the end of their retention period (AI conversation text up to 12 months; AI technical metrics up to 24 months; other analytics events up to 26 months), after which they are deleted. Anonymous aggregates already produced are not personal data and are retained. If you want us to remove the pseudonymised records relating to you before that, write to privacy@wandermi.com before deleting your account, so that we are able to identify them.
Third-Party Data Sources
To show estimated busy times for popular places, we use publicly available aggregate "popular times" data from Google Maps, collected periodically for a curated set of well-known venues. This data is aggregate and anonymous — it contains no personal information about you or any other identifiable person. It is stored as a permanent baseline, refreshed approximately once a year, and is never shared or resold in raw form to third parties.
Messaging & Chat
Wandermi includes an in-app messaging feature that allows you to communicate with other travellers and to share trip plans, photos, polls and locations.
• Encryption: all messages are encrypted in transit (TLS 1.2+) and at rest (AES-256). End-to-end encryption is not currently implemented; this allows the server-side moderation and content reporting required by the EU Digital Services Act (Regulation (EU) 2022/2065).
• Content stored: message text, attached media (photos), polls, locations, reactions, reply context, and edit/pin metadata. Read receipts are stored to power conversation unread counts.
• Moderation: we apply automated rate limits (maximum 40 messages per minute and 300 per hour per sender) and we process user reports. Reported content is reviewed and may be removed; abusive accounts may be suspended.
• Reporting illegal content: you can report any message via the long-press menu → Report. Reports are reviewed by our moderator, normally within 48 hours.
• Editing and deletion: you may edit your messages within 15 minutes of sending and delete them at any time. Deleting your account deletes the messages you have sent.
• Push notifications: message previews may appear in push notifications. You can disable previews via Settings → Notifications.
• Minors: per GDPR Article 8 and the Italian implementation, the minimum age to use messaging is 14 years.
Your Rights (GDPR Art. 15–22)
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
• Right of access and to data portability (Art. 15 and 20): use "Export my data" in Settings to download a complete JSON file of your data, including your conversations with the AI assistant.
• Right to rectification (Art. 16): correct your personal data at any time via Edit Profile.
• Right to erasure (Art. 17): use "Delete account" in Settings. This removes from our operational systems your account, content, messages, AI conversations and memories, username, share links and the exact coordinates of your crowd reports. For the pseudonymised copies in the analytics warehouse, see "Analytics Warehouse" above.
• Right to object and to withdraw consent (Art. 21): you can disable location from Settings → Location and notifications from Settings → Notifications at any time. To object to the processing of pseudonymised data for analytics and for AI improvement, write to privacy@wandermi.com.
• Right to lodge a complaint: you may lodge a complaint with the Italian supervisory authority (Garante per la protezione dei dati personali) or with the supervisory authority of your country of residence.
• Re-acceptance: if we make significant changes to the Terms or to this Policy, we will ask you to accept them again the next time you open the app; if you do not accept, access to the service is suspended.
To exercise any of these rights, contact us at privacy@wandermi.com or use the corresponding feature in the app.
International Data Transfers
Some of your personal data may be transferred to and processed in the United States, where some of our service providers are located (Firebase, Expo, Mapbox, RevenueCat). These transfers are safeguarded by EU Standard Contractual Clauses (SCCs) approved by the European Commission. The processing carried out by the AI assistant and by the analytics warehouse takes place within the European Union (region europe-west1).
Privacy Contact
We are not required to designate a Data Protection Officer under Article 37 GDPR: we are not a public authority, our core activities do not involve large-scale processing of special categories of data, and we do not carry out regular and systematic monitoring of data subjects on a large scale. We keep this assessment under review and will appoint a Data Protection Officer if the conditions change.
For any question about how we handle your personal data, or to exercise your rights under the GDPR, write to privacy@wandermi.com. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) or with the supervisory authority of your country of residence.
Paid Features
Wandermi is currently free: there are no active subscriptions or in-app purchases, and we do not process any payment data. Features shown in the app as "coming soon" (for example a premium subscription or printed photo albums) are not active.
Our subscription management infrastructure (RevenueCat) is present in the app but processes no transactions while paid features are inactive. If paid features are activated, we will inform you in advance and update this Policy. In any case, payments would be processed exclusively by Apple (App Store) on iOS and Google (Play Store) on Android: we would never collect or store your payment card details or your billing address.
Photo Albums (Future Service — Peecho)
Wandermi plans to offer optional printed photo albums in a future release. When this feature becomes available:
• Sharing: only the data strictly necessary to fulfil your order will be shared with our printing partner Peecho (based in the Netherlands, EU): your shipping name, shipping address, the photos you explicitly select for the album, and the order details.
• No other data shared: we will not share your account email, travel plans, or any other personal information with Peecho.
• Explicit opt-in per order: this feature requires explicit consent each time you place an order. No data is shared without an active order.
• Current status: as of the current release this feature is not active. No data has been or is being shared with Peecho. We will update this Policy and notify users in-app before the feature becomes operational.
Security
We implement industry-standard security measures including encryption in transit (TLS 1.2+) and at rest (AES-256) to protect your personal information from unauthorised access. Requests to our backend are verified through device attestation (Firebase App Check). The exact coordinates of crowd reports are held in a restricted-access collection that client applications cannot read. Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
Questions about our privacy practices? Contact us at privacy@wandermi.com